Cisco AMP for Endpoints API

GET /v1/indicators


Returns a list of indicators.

Query Parameters

Name Type Example Values Description
limit Integer 10
offset Integer 20

Show Response Fields

Name Type Description
version String
metadata.links.self String Integer
metadata.results.current_item_count Integer
metadata.results.index Integer
metadata.results.items_per_page Integer
data Array
data[].name String
data[].description String
data[].guid GUID
data[].observed_compromises Integer
data[].severity String
data[].links.indicator String


Fetch list of indicators

Fetch list of indicators


Requires Authorization
GET /v1/indicators
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \


Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1957
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2789
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"544e2ed5c55c1d3cd35d646333815852"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": ""
    "results": {
      "total": 488,
      "current_item_count": 488,
      "index": 0,
      "items_per_page": 500
  "data": [
      "name": "Crossrider.ioc",
      "description": "Crossrider is a an Adware variant that targets Mac with the intent of displaying ads. It also changes the default home page of Safari and Chrome browsers.",
      "guid": "299952c7-0836-4e0c-9ef2-4d0573185c7b",
      "observed_compromises": 0,
      "severity": "Medium",
      "links": {
        "indicator": ""
      "name": "Dummy.ioc",
      "description": "OSX.Dummy is a poorly executed Trojan variant. It requires users to input their password in order to complete it's install. However, once this is done the malware will have complete access to the whole system, and it will persist itself via a LaunchDaemon.",
      "guid": "91e62438-7576-4964-a6ef-b3ccc94fb3ec",
      "observed_compromises": 0,
      "severity": "Medium",
      "links": {
        "indicator": ""